
CN103988534A - Method for detection of persistent malware on a network node - Google Patents


Info

Publication number: CN103988534A
Authority: CN (China)
Prior art keywords: session, network node, persistence, sub-session, communication flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN201280061399.3A
Other languages: Chinese (zh)
Other versions: CN103988534B (en)
Inventors: 米凯尔·利延斯坦, 安德拉斯·梅赫斯, 帕特里克·萨尔梅拉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Telefonaktiebolaget LM Ericsson AB
Original Assignee: Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events: application filed by Telefonaktiebolaget LM Ericsson AB; publication of CN103988534A; application granted; publication of CN103988534B; legal status: Active; anticipated expiration
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/16 Threshold monitoring
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to methods and devices for detecting persistency of a first network node (12). In a first aspect of the invention, a method is provided comprising the steps of monitoring (S101), during a specified observation period, whether the first network node has established a connection to a second network node (13), and determining (S102) a total number of sessions of connectivity occurring during said specified observation period in which the first network node connects to the second network node. Further, the method comprises the steps of determining (S103), from the total number of sessions, a number of sessions comprising at least one communication flow between the first network node and the second network node, and determining (S104) inter-session persistence of the first network node on the basis of the total number of sessions and the number of sessions comprising at least one communication flow.

Description

Method for detection of persistent malware on a network node
Technical field
The present invention relates to methods and apparatus for detecting persistence of a first network node.
Background
Persistent malware is a common type of malware that installs itself on a device and can therefore act whenever the device is switched on. So-called bots (participants in botnets) can be classified as persistent malware; they exploit the network and are widely regarded as one of the most serious threats on today's Internet. In common usage, the term "bot" refers to a computer infected with malware that allows an attacker to remotely control the computer and perform tasks on the attacker's behalf, such as sending spam, stealing information or launching attacks on other computers. A botnet is a collection of such bots under common control. Many techniques exist for detecting malware infections on computers and on other devices with similar capabilities (phones, tablets, etc.). Existing host-based techniques include signature scanning to find infected and controlled files, and behavioural monitoring of unusual and/or suspicious processes on the device. Similarly, common network-based techniques rely on detecting signatures, or abnormal or suspicious communication patterns, that may be associated with infection attempts or malware communication. Most techniques rely on capturing and manually analysing malware samples to create detection rules for particular malware.
The malware detection techniques known to the inventors have shortcomings, and their detection performance depends on where they are deployed, for example on a host or in the network. Because there is a continuous contest between malware authors and the security industry that tries to protect users, new techniques are constantly needed to improve the detection of threats such as persistent malware that uses the network.
Summary of the invention
The object of the invention is to solve, or at least alleviate, these problems in the art and to provide an improved method and apparatus for detecting malicious devices in a network.
In a first aspect of the present invention, this object is achieved by a method for detecting persistence of a first network node. The method comprises the steps of: monitoring, during a specified observation period, whether the first network node has established a connection to a second network node; and determining the total number of connectivity sessions occurring during the specified observation period in which the first network node connects to the second network node. The method further comprises the steps of: determining, from the total number of sessions, the number of sessions comprising at least one communication flow between the first network node and the second network node; and determining inter-session persistence of the first network node on the basis of the total number of sessions and the number of sessions comprising at least one communication flow.
In a second aspect of the present invention, this object is achieved by a method for detecting persistence of a first network node. The method comprises the steps of: monitoring, during a specified observation period, whether the first network node has established a connection to a second network node; and determining the total number of connectivity sessions during the specified observation period in which the first network node connects to the second network node. The method further comprises the steps of: determining, from the total number of sessions, the number of sessions comprising at least one communication flow between the first network node and the second network node; and dividing at least one session into a number of sub-sessions. Then, for the at least one session, the number of sub-sessions comprising at least one communication flow between the first network node and the second network node is determined, and intra-session persistence of the first network node for the at least one session is determined on the basis of the number of sub-sessions and the number of sub-sessions comprising at least one communication flow.
Advantageously, the present invention targets persistent malware that can use the network for attacks, remote control and/or malware updates, etc. To this end, common characteristics of the communication patterns between devices involved in malicious and/or suspicious network activity such as sending spam (or at least some heuristics for detecting malicious/suspected attack behaviour) can be identified and combined with the detection of the characteristic persistence with which malware establishes network communication. For example, a bot participating in a botnet (spam-sending or otherwise) repeatedly attempts to "phone home" to one or more command and control (C&C) servers. This typically recurs whenever the device is switched on and connected to the network, and recurs over time while the device remains on and connected.
Therefore, signaling information in the network is used to determine the periods during which the device is switched on and connected to the network, i.e. the periods during which persistent malware has the opportunity to use the network. Exemplary embodiments for determining connectivity sessions include:
- monitoring network attach/detach or packet data protocol (PDP) context setup/release signaling (for 3GPP mobile networks); and
- monitoring Dynamic Host Configuration Protocol (DHCP) signaling for the periods during which the device is assigned an IP address (for fixed networks).
Once connectivity sessions have been detected, it is determined whether there is persistent suspicious activity that manifests within sessions and across sessions, for example connections to certain destinations. Such persistence across sessions and within sessions is an indication of persistent behaviour of the network device, which may be benign or malicious. Accordingly, in the first aspect of the invention inter-session persistence of the first network node is determined, and in the second aspect intra-session persistence of the first network node is determined. In other embodiments of the invention, the subject matter of the first and second aspects can be combined, so that detection of persistence of the first network node is further strengthened by determining both inter-session and intra-session persistence. Optionally, this can be combined with other information about possibly malicious traffic initiated by the first network node to provide evidence of a persistent malware infection. Thus the present invention advantageously targets persistent malware that uses the network for attacks, remote control and/or malware updates.
Embodiments of the first and second aspects of the present invention are discussed below.
In an embodiment of the present invention, determining inter-session persistence comprises: determining an inter-session persistence ratio by dividing the number of sessions comprising at least one communication flow by the total number of sessions; and comparing the determined inter-session persistence ratio with a threshold, wherein the first network node is considered persistent if the ratio exceeds the threshold. Advantageously, by choosing an appropriate threshold for the inter-session persistence ratio, an indication is provided of whether the behaviour of the first network node is to be considered malicious.
In another embodiment of the present invention, determining intra-session persistence comprises: dividing at least one session into a number of sub-sessions; and determining, for the at least one session, the number of sub-sessions comprising at least one communication flow between the first network node and the second network node, from which intra-session persistence of the first network node is determined. In a further embodiment, for the at least one session, an intra-session persistence ratio is determined by dividing the number of sub-sessions comprising at least one communication flow by the total number of sub-sessions of the at least one session, and the determined intra-session persistence ratio is compared with a threshold, wherein the first network node is considered persistent if the ratio exceeds the threshold. Advantageously, choosing an appropriate threshold for the intra-session persistence ratio provides an indication of whether the behaviour of the first network node is to be considered malicious.
In yet another embodiment of the present invention, the moment at which the first communication flow between the first network node and the second network node occurs during the specified observation period is recorded. If the first network node becomes infected by malware at some point during the first specified observation period, it might not be detected until the next observation period. By ignoring the time before first contact (i.e. before the first communication flow occurs), the situation in which the first network node becomes infected during a given observation period and starts to behave persistently is handled more easily.
In another embodiment of the present invention, the communication flows between the first network node and the second network node during the specified observation period are aggregated into sets of communication flows, or flow aggregates. This advantageously facilitates the management of large sets of flows, since (for example) single flows can easily be filtered out.
The object of the present invention is also achieved by a device for detecting persistence of a first network node, corresponding to the methods of the first and second aspects discussed above.
The present invention advantageously uses network information and analyses it to detect malware. Persistent malware (such as bots) often uses the network connection as much as possible to give the malware author maximum impact, and network signaling information is advantageously used to determine whether malware is active on the network while the device has an established connection to the network. This translates into improved detection performance and a reduced false positive rate, both of which are important for better protection against malware and for reducing the cost of manually analysing detection alarms.
Note that the present invention relates to all possible combinations of the features recited in the claims. Further features and advantages of the present invention will become apparent from the appended claims and the following description. Those skilled in the art will realise that different features of the present invention can be combined to create embodiments other than those described below.
Brief description of the drawings
The present invention is now described, by way of example, with reference to the accompanying drawings, in which:
Fig. 1 shows a mobile network in which the present invention is implemented;
Fig. 2 shows a fixed access network in which the present invention is implemented;
Fig. 3 shows a flow chart illustrating a method of detecting persistence of a first network node according to an embodiment of the present invention;
Fig. 4 shows a flow chart illustrating a method of detecting persistence of a first network node according to another embodiment of the present invention;
Fig. 5 shows a flow chart illustrating a method of detecting persistence of a first network node according to yet another embodiment of the present invention; and
Fig. 6 shows a scheme illustrating a more detailed method of detecting persistence of a first network node according to a further embodiment of the present invention.
Detailed description of embodiments
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The present invention can be implemented in the context of a mobile network. Without loss of generality, connectivity sessions are determined in an embodiment of the present invention by means of PDP context signaling. A PDP context is a data structure located at the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN) that contains a subscriber's session information while the subscriber has an active session. When a mobile device wants to use GPRS, it must first attach and then activate a PDP context. This allocates a PDP context data structure in the SGSN the user is currently attached to and in the GGSN serving the user's access point. Hence, the PDP context is advantageously used to determine the connectivity sessions of the first network node; by examining PDP contexts it can be determined whether a potentially malicious first network node is connected to the network. As mentioned before, in alternative embodiments other events in the International Mobile Subscriber Identity (IMSI) network attach/detach procedures or in the control plane (also referred to as "signaling") are used to determine sessions. Furthermore, although the procedure is described in terms of a single PDP context per user, its extension to several simultaneous PDP contexts will be apparent to those skilled in the art.
Fig. 1 illustrates the present invention implemented in a mobile network. For the purpose of illustration, the method according to an embodiment of the invention is carried out by a malware detection function (MDF) 15 that relies on information collected from nodes in the mobile network 11.
According to an embodiment of the invention, when a first network node 12 establishes, or attempts to establish, communication with a second network node 13, detection of persistence of the first network node 12 can be undertaken by a GGSN 14 implementing the MDF 15. It should be noted that the MDF 15 can be implemented in network components other than the GGSN 14, for example in a Radio Network Controller (RNC) in the case of a 3G network, in a core network Mobility Management Entity (MME) in the case of a Long Term Evolution (LTE) network, in an eNodeB/NodeB, in a generic router or switch, or in a security device such as an intrusion detection/prevention system or a firewall. Thus the persistence detection functionality defined by the different embodiments of the invention need not be contained in a single network component but can be distributed over several network components. The advantage of implementing the MDF 15 in a node such as the GGSN (or SGSN) is that it can access both signaling (PDP contexts) and traffic flows for a comparatively large user population. If IMSI network attach/detach signaling is instead used to determine connectivity sessions, the MME is a favourable option. If the functionality is moved further out into the radio access network (RAN), to the RNC or even to the NodeB/eNodeB, session information is still available, but for a smaller set of users. In a fixed network, a router/switch/node can monitor Authentication, Authorization and Accounting (AAA) or DHCP signaling, or the AAA or DHCP server itself can provide the signaling information. Furthermore, any of the above nodes can forward information to a server running an implementation of the invention in a security operations center or network operations center, etc.
In practice, the MDF is embodied in the form of one or more microprocessors arranged to execute a computer program 17 downloaded to a suitable storage medium 16 associated with the microprocessor, such as RAM, flash memory or a hard disk. The microprocessor 15 is arranged to at least partly carry out the method according to embodiments of the invention when the appropriate computer program 17, comprising computer-executable components, is downloaded to the memory 16 and executed by the microprocessor 15. The storage medium 16 may be a computer program product comprising the computer program 17. Alternatively, the computer program 17 may be transferred to the storage medium 16 by means of a suitable computer program product, such as a floppy disk, compact disc or memory stick, carrying the computer program 17. As a further alternative, the computer program 17 may be downloaded to the storage medium 16 over a network. The microprocessor 15 may alternatively be embodied in the form of an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a complex programmable logic device (CPLD), etc.
With further reference to Fig. 1, control plane information is collected from a control plane node 18 (or several nodes), such as a router or switch, or from mobile-network-specific nodes that can access control plane traffic (such as a GGSN, Packet Data Network Gateway (PDN-GW), Serving Gateway (SGW), SGSN, MME, RNC, BSC, NodeB, eNodeB, etc.). The control plane information of a mobile network can comprise data about network attach/detach events or PDP context activation/deactivation events, or information about other events related to the connectivity of a device such as the first network node 12. In addition, related or similar information can be obtained from a DHCP server or an AAA server. Another possibility is to collect supplementary control plane information from the user equipment. Unless otherwise stated, the description below focuses on control plane information from mobile network nodes. A signaling analysis function in the MDF 15 receives the control plane information and extracts the information related to network attach/detach and/or PDP context events to create first node session information for further analysis. It also extracts the persistent subscriber identifier and its binding to the "current" IP address (which may change over time) so that traffic can be attributed to the subscriber. (The use of information from DHCP or AAA is described below for fixed access, but it can be an option for mobile access as well.)
Flow-level traffic information (such as NetFlow or similar flow summary records) or packet-level traffic information (full or partial packet capture) is collected from nodes that can access user plane traffic (i.e. user plane nodes 19, such as routers or switches) or from mobile-network-specific nodes (such as a GGSN, PDN-GW, SGW, SGSN, RNC, BSC, NodeB, eNodeB, etc.). Another possibility is to collect supplementary traffic information from the user equipment. A traffic analysis function in the MDF 15 receives the user plane traffic information and, where necessary, aggregates it into flows (if it is not already at flow level). It also receives control plane related information from the signaling analysis function and uses it to assign subscriber identifiers to traffic flows.
A persistence analysis function in the MDF 15 can receive information about user sessions from the signaling analysis function and information about user traffic flows from the traffic analysis function, in order to find persistent connections.
An attack/suspicion analysis function can receive information about attacks and unwanted traffic from network security nodes (such as firewalls, intrusion detection systems, spam filters, UTM devices, endpoint security software on user equipment, etc.). It can also receive information from network operations and management nodes indicating that some traffic is causing network problems or is otherwise suspicious. Such incoming alerts are processed (e.g. correlated) and passed on for further analysis.
A correlation function can use the traffic information from the traffic analysis function, the information about persistent connections from the persistence analysis function and the incoming alerts from the attack/suspicion analysis function to check whether problematic behaviour appears to be associated with persistent connections that may indicate remote control causing the problematic behaviour. If it finds supporting evidence of persistent malware causing problems, it raises an alarm to an alerting function that can alert network operator staff and/or the affected user.
With reference to Fig. 2, the present invention can also be implemented in a fixed access network 21, where like reference numerals denote the same types of network components as discussed in conjunction with Fig. 1. The difference between an implementation in a fixed network and one in a wireless network lies in the type of signaling information used; in the fixed network 21, a DHCP server and/or an AAA server 28 is used. The period of a valid user authentication (from the AAA server) or of a valid IP lease (from the DHCP server) can serve as the indication of a connectivity session and to associate a permanent network node identifier with an IP address. Hence the internal workings of the MDF 15 are essentially the same, but the input supplied to the signaling analysis function differs slightly.
Fig. 3 shows a flow chart illustrating a method of detecting persistence of a first network node according to an embodiment of the present invention. In step S101, the MDF 15 (which, as mentioned before, can be implemented in the GGSN 14) monitors, during a specified observation period, whether the first network node 12 has established a connection to the second network node 13. Then, in step S102, the MDF 15 determines the total number of connectivity sessions occurring between the first network node 12 and the second network node 13 during the specified observation period. This can be implemented by analysing PDP contexts. Then, in step S103, the number of sessions comprising at least one communication flow between the first network node 12 and the second network node 13 is determined from the total number of sessions. Finally, in step S104, the MDF 15 determines inter-session persistence of the first network node 12 on the basis of the total number of sessions and the number of sessions comprising at least one communication flow. Although the method shown in Fig. 3 illustrates detection of persistence between the first network node 12 and a single second network node 13, persistence detection can in practice be performed for several different destination network nodes.
Fig. 4 shows a flow chart illustrating a method of detecting persistence of a first network node according to another embodiment of the present invention. In step S201, the MDF 15, implemented for example in the GGSN 14, monitors, during a specified observation period, whether the first network node 12 has established a connection to the second network node 13. Then, in step S202, the MDF 15 determines the total number of connectivity sessions occurring between the first network node and the second network node during the specified observation period, and in step S203 the number of sessions comprising at least one communication flow between the first network node 12 and the second network node 13 is determined from the total number of sessions. Thus, as can be seen in the flow chart of Fig. 4, the first three steps S201 to S203 of the method of this particular embodiment are identical to the first three steps S101 to S103 of the method shown in Fig. 3. Further, in step S204 at least one session is divided into a number of sub-sessions, and in step S205 the number of sub-sessions comprising at least one communication flow between the first network node 12 and the second network node 13 is determined for the at least one session. Finally, in step S206, the MDF 15 determines intra-session persistence of the first network node 12 for the at least one session on the basis of the number of sub-sessions and the number of sub-sessions comprising at least one communication flow.
As mentioned before, the embodiments of Fig. 3 and Fig. 4 can be combined into a method that determines both inter-session and intra-session persistence in order to identify malicious network nodes. This embodiment of the present invention is illustrated in the flow chart of Fig. 5. As described in conjunction with Figs. 3 and 4, the MDF 15 monitors in step S301, during a specified observation period, whether the first network node 12 has established a connection to the second network node 13. Then, in step S302, the MDF 15 determines the total number of connectivity sessions occurring between the first network node 12 and the second network node 13 during the specified observation period. This can be implemented by analysing PDP contexts. Then, in step S303, the number of sessions comprising at least one communication flow between the first network node 12 and the second network node 13 is determined from the total number of sessions. In step S304, the MDF 15 determines inter-session persistence of the first network node 12 on the basis of the total number of sessions and the number of sessions comprising at least one communication flow. Furthermore, in this particular embodiment, after step S303 has been performed, at least one session is divided into a number of sub-sessions in step S305. Thereafter, in step S306, the number of sub-sessions comprising at least one communication flow between the first network node 12 and the second network node 13 is determined for the at least one session. Then, in step S307, the MDF 15 determines intra-session persistence of the first network node 12 for the at least one session on the basis of the number of sub-sessions and the number of sub-sessions comprising at least one communication flow.
With reference to Fig. 5, it should be noted that step S304 can be performed simultaneously with steps S305 to S307. However, step S304 can also be performed before steps S305 to S307, or vice versa.
With reference to Fig. 6, a more detailed method of detecting persistence of a first network node according to an embodiment of the present invention is illustrated. On the user plane, bidirectional (IP) flows, defined by the five-tuple <source identifier, source port, transport protocol, destination identifier, destination port> (i.e. carrying information about both the first and the second network node) together with end events or timeouts that may be defined by the protocol, are aggregated as follows: flows from a particular source/first node identifier 12 to a particular destination service/second network node 13 (destination identifier and port) are aggregated into a set of communication flows called a flow aggregate (FA). The first network node 12 is defined as the initiator of the flow. The source identifier or destination identifier on the subscriber side (depending on the flow direction relative to the initiator) can be an IP address, but a more persistent identifier, for example the IMSI, is preferably used for subscriber identification. In the context of a 3GPP mobile network, using the subscriber identifier (IMSI) rather than the source node IP address avoids, for example, the confusion of endpoint information caused by dynamically assigned IP addresses (using DHCP). On the other side (usually outside the subscriber network), the endpoint can be identified by IP address or DNS name.
Each flow aggregate is cross-checked against the signaling information about the subscriber's sessions. This can be, for example, PDP context information or attach/detach signaling of the packet network. Depending on the type of information used, a session is delimited in time as running from the start to the end of the PDP context, or from the attach time to the detach time.
The appointment observation cycle that is called as observation period forms the time cycle of collecting stream information.Fig. 6 shows for user's PDP Context and Business Stream (illustrating with different lines for different remote endpoints).Also shown is any observation period, wherein, the PDP Context of observing and stream at least in part within this period.The top row of Fig. 4 shows the active session relevant with second network node r.Three row subsequently show three different communication streams from first network node u to corresponding destination network node, and wherein, middle row shows communication stream to be monitored between first network node u and second network node r.
Thus the specified observation period $e$ starts at time $t_{1,e}$ and ends at $t_{2,e}$.
The flow aggregate (FA) $F_{u,r}$ is defined as the set of communication flows $f$ during the observation period from the first node $u$ (identified, for example, by IMSI) to the remote endpoint/service/second node $r$ (where the remote endpoint/service is defined by IP address or DNS name and optionally by port/protocol), where $t_{1,f}$ and $t_{2,f}$ are the start and end times of $f$.
$F'_{u,r}$ is defined as a superset of $F_{u,r}$ that may also include flows before the observation period (i.e. optionally some historical information).
The time at which the first communication flow between the first network node and the second network node occurs, with respect to the specified observation period, is denoted $t_{fc,\{u,r\}}$ (computed over $F'_{u,r}$), i.e. the time of first contact between the first network node $u$ and the remote endpoint/service $r$, possibly taking historical information into account.
Assume that the first network node $u$ has a set of sessions $S_u$ occurring in $e$. That is, $S_u$ comprises the sessions $s_u$ of $u$ having a start and/or end time within the observation period, i.e. for which $t_{2,s_u} \ge t_{1,e} \lor t_{1,s_u} \le t_{2,e}$ holds, where $t_{1,s_u}$ and $t_{2,s_u}$ are the start and end times of $s_u$.
The session set $S_{\{u,r\}}$ for $F_{u,r}$ (a subset of $S_u$) is the set of all sessions of the first network node $u$ that have an end time after the first contact time $t_{fc,\{u,r\}}$ to/from the second network node $r$ and a start time before the end $t_{2,e}$ of the observation period. That is, $S_{\{u,r\}}$ is the subset defined with respect to the service to/from the particular remote endpoint/service/second node $r$.
The set of active sessions of the first node $u$ to/from the remote endpoint/service is $S_{active,u,r} = \forall s \in S_{\{u,r\}} : (\exists f \in F_{u,r} \wedge t_{1,f} \ge t_{1,s} \wedge t_{2,f} \le t_{2,s})$, where $F_{u,r}$ is the set of flows from the first node $u$ to the remote endpoint/service/second node $r$ and from $r$ to $u$, $t_{1,f}$ and $t_{2,f}$ are the start and end times of $f$, and $t_{1,s}$ and $t_{2,s}$ are the start and end times of $s$. That is, all sessions having at least one flow to/from the remote endpoint/service $r$.
With respect to the start of a session (or some other point in time), the session is divided into session periods $p_i$ of a certain fixed size, for example 10 minutes.
The set of session periods of the first node $u$ (called $P_u$) comprises all periods belonging to $S_u$ having a start and/or end time within the observation period, i.e. for which $t_{2,p_{u,i}} \ge t_{1,e} \lor t_{1,p_{u,i}} \le t_{2,e}$ holds, where $t_{1,p_{u,i}}$ and $t_{2,p_{u,i}}$ are the start and end times of $p_{u,i}$.
The set of session periods $P_{\{u,r\}}$ for $F_{u,r}$ (a subset of $P_u$) is the set of periods in the sessions of $S_{\{u,r\}}$ (the session set for $F_{u,r}$) that have an end time after $t_{fc,\{u,r\}}$ (the first contact time) and a start time before $t_{2,e}$ (the end of the observation period). That is, $P_{\{u,r\}}$ is the subset defined with respect to the service to/from the particular remote endpoint/service/second node $r$.
The set of active session periods $P_{active,u,r}$ of the first node $u$ to/from the remote endpoint/service $r$ is $P_{active,u,r} = \forall p \in P_{\{u,r\}} : (\exists f \in F_{u,r} \wedge t_{2,f} \ge t_{1,p} \wedge t_{1,f} \le t_{2,p})$, where $t_{1,p}$ and $t_{2,p}$ are the start and end times of $p$. That is, all session periods having at least one flow (in $F_{u,r}$) to/from the remote endpoint/service/second node $r$.
The total number of sessions of the first node $u$ related to the remote endpoint/service $r$ is $|S_{\{u,r\}}|$ (the number of elements in the session set of the first node $u$ related to the second node $r$).
The number of active sessions of the first node $u$ to/from the remote endpoint/service $r$ is $|S_{active,u,r}|$.
The total number of session periods of the first node $u$ related to the remote endpoint/service $r$ is $|P_{\{u,r\}}|$ (the number of elements in the session period set of the first node $u$ related to the second node $r$).
The number of active session periods of the first node $u$ to/from the remote endpoint/service/second node $r$ is $|P_{active,u,r}|$.
The inter-session persistence ratio for $F_{u,r}$ is $|S_{active,u,r}| / |S_{\{u,r\}}|$ (i.e. the number of active sessions divided by the total number of sessions related to the remote endpoint/service/second node $r$).
The intra-session persistence ratio for $F_{u,r}$ is $|P_{active,u,r}| / |P_{\{u,r\}}|$ (i.e. the number of active session periods divided by the total number of session periods related to the remote endpoint/service/second node $r$).
To detect malware that persistently uses the network, the test for persistent control connections established from the first network node to a common remote endpoint/service/second network node $r$ (involving the number of active session periods $|P_{active,u,r}|$, the inter-session persistence ratio $|S_{active,u,r}| / |S_{\{u,r\}}|$ and the intra-session persistence ratio $|P_{active,u,r}| / |P_{\{u,r\}}|$) can be combined with similar tests for attacks or suspicious behaviour (for example, sending spam). That is, for the devices (each bound to a subscription) involved in the same type of suspicious behaviour, persistent connections to/from the same remote endpoint/service are examined; such connections would indicate centralised control (and provide evidence of remotely controlled malware or, for example, of malware stealing information).
As discussed above, in an embodiment of the invention the inter-session persistence ratio and the intra-session persistence ratio can be compared with selected threshold values to determine whether persistence exists. In practice, these threshold values are calibrated by carrying out field tests to find suitable values. Further, when persistent malware is detected, an alert can be sent to a security operations centre for verification and/or an alert can be sent to the target network so that remediation action can be taken.
Although the invention has been described with reference to specific exemplary embodiments, many different alterations, modifications and the like will become apparent to those skilled in the art. The described embodiments are therefore not intended to limit the scope of the invention as defined by the appended claims.
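The definitions above (flow aggregate, first contact time, session set, active sessions, fixed-size session periods, and the two persistence ratios compared with thresholds), as well as the step sequence of Figs. 4 and 5, carried out on constructed data. This is an added example, not code from the patent or its assignee; the subscriber identifier, the endpoint addresses, the timestamps and the threshold values are constructed, while the 10-minute period size follows the text.

```python
from dataclasses import dataclass

# Constructed records (not from the patent). Times are seconds relative to
# the start of the observation period e = [T1_E, T2_E].
T1_E, T2_E = 0, 3600
PERIOD_SIZE = 600                 # fixed sub-session size: 10 minutes, as in the text
NODE_U = "imsi-000000000000001"   # constructed subscriber identifier (IMSI-like)
REMOTE_R = "203.0.113.10:443"     # constructed remote endpoint/service r

@dataclass(frozen=True)
class Flow:
    """Communication flow f from node u to endpoint r over [t1, t2]."""
    u: str
    r: str
    t1: int
    t2: int

@dataclass(frozen=True)
class Session:
    """Connection session s of node u (e.g. one PDP context) over [t1, t2]."""
    u: str
    t1: int
    t2: int

# Sessions of u: one historical session before e, three inside e.
SESSIONS = [Session(NODE_U, -1000, -700), Session(NODE_U, 0, 1200),
            Session(NODE_U, 1500, 2700), Session(NODE_U, 3000, 3600)]
# Flows of u: a historical contact with r, two flows to r in the first session,
# only an unrelated endpoint in the second, one flow to r in the third.
FLOWS = [Flow(NODE_U, REMOTE_R, -900, -800), Flow(NODE_U, REMOTE_R, 100, 200),
         Flow(NODE_U, REMOTE_R, 700, 800), Flow(NODE_U, "198.51.100.7:80", 1600, 1700),
         Flow(NODE_U, REMOTE_R, 3100, 3200)]

def flow_aggregate(flows, u, r):
    """F_{u,r}: flows between u and r lying (at least partly) in e."""
    return [f for f in flows if f.u == u and f.r == r and f.t2 >= T1_E and f.t1 <= T2_E]

def first_contact(flows, u, r):
    """t_fc,{u,r}: earliest flow start between u and r over the superset
    F'_{u,r}, so flows before the observation period count (history)."""
    starts = [f.t1 for f in flows if f.u == u and f.r == r]
    return min(starts) if starts else None

def session_set(sessions, u, t_fc):
    """S_{u,r}: sessions of u overlapping e (S_u) that end after the first
    contact t_fc and start before the end of the observation period."""
    return [s for s in sessions if s.u == u and s.t2 >= T1_E and s.t1 <= T2_E
            and s.t2 > t_fc and s.t1 < T2_E]

def active_sessions(s_ur, f_ur):
    """S_active,u,r: sessions containing at least one flow of F_{u,r}."""
    return [s for s in s_ur if any(f.t1 >= s.t1 and f.t2 <= s.t2 for f in f_ur)]

def session_periods(s, size):
    """Split session s into fixed-size sub-sessions p_i counted from its start."""
    periods, t = [], s.t1
    while t < s.t2:
        periods.append((t, min(t + size, s.t2)))
        t += size
    return periods

def period_set(s_ur, t_fc):
    """P_{u,r}: periods of the sessions in S_{u,r} that end after t_fc and
    start before the end of the observation period."""
    return [p for s in s_ur for p in session_periods(s, PERIOD_SIZE)
            if p[1] > t_fc and p[0] < T2_E]

def active_periods(p_ur, f_ur):
    """P_active,u,r: periods overlapped by at least one flow of F_{u,r}."""
    return [p for p in p_ur if any(f.t2 >= p[0] and f.t1 <= p[1] for f in f_ur)]

def persistence(flows, sessions, u, r, inter_threshold=0.5, intra_threshold=0.5):
    """Inter- and intra-session persistence of u towards r, plus the threshold
    comparison described in the text (threshold values are constructed)."""
    t_fc = first_contact(flows, u, r)
    if t_fc is None:
        return None                      # u never contacted r: nothing to evaluate
    f_ur = flow_aggregate(flows, u, r)
    s_ur = session_set(sessions, u, t_fc)
    p_ur = period_set(s_ur, t_fc)
    s_act, p_act = active_sessions(s_ur, f_ur), active_periods(p_ur, f_ur)
    inter = len(s_act) / len(s_ur) if s_ur else 0.0   # |S_active| / |S_{u,r}|
    intra = len(p_act) / len(p_ur) if p_ur else 0.0   # |P_active| / |P_{u,r}|
    return {"sessions": len(s_ur), "active_sessions": len(s_act),
            "periods": len(p_ur), "active_periods": len(p_act),
            "inter_session_ratio": inter, "intra_session_ratio": intra,
            "inter_persistent": inter > inter_threshold,
            "intra_persistent": intra > intra_threshold}

if __name__ == "__main__":
    print(persistence(FLOWS, SESSIONS, NODE_U, REMOTE_R))
```

On the constructed data the node contacts r in two of three sessions (ratio 2/3) and in three of five ten-minute periods (ratio 0.6), so both ratios exceed the constructed 0.5 thresholds.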

Claims (29)

1. A method of detecting persistence of a first network node (12), the method comprising the steps of:
monitoring (S101), during a specified observation period, whether the first network node has established a connection to a second network node (13);
determining (S102) the total number of connection sessions occurring between the first network node and the second network node during the specified observation period;
determining (S103), from the total number of sessions, the number of sessions comprising at least one communication flow between the first network node and the second network node; and
determining (S104) inter-session persistence of the first network node based on the total number of sessions and the number of sessions comprising at least one communication flow.
2. The method according to claim 1, wherein the step of determining inter-session persistence comprises:
determining an inter-session persistence ratio by dividing the number of sessions comprising at least one communication flow by the total number of sessions, and the method further comprising the step of:
comparing the determined inter-session persistence ratio with a threshold value, wherein, if the inter-session persistence ratio exceeds the threshold value, the first network node is considered persistent.
3. The method according to any one of the preceding claims, further comprising the steps of:
dividing (S305) at least one session into a number of sub-sessions;
determining (S306), for the at least one session, the number of sub-sessions comprising at least one communication flow between the first network node (12) and the second network node (13);
determining (S307) intra-session persistence of the first network node for the at least one session, based on the number of sub-sessions and the number of sub-sessions of the session comprising at least one communication flow.
4. The method according to claim 3, wherein the step of determining intra-session persistence comprises:
determining an intra-session persistence ratio for each session by dividing the number of sub-sessions comprising at least one communication flow by the total number of sub-sessions of the session, and the method further comprising the step of:
comparing the determined intra-session persistence ratio with a threshold value, wherein, if the intra-session persistence ratio exceeds the threshold value, the first network node (12) is considered persistent.
5. The method according to any one of the preceding claims, wherein the step of determining the total number of connection sessions comprises: monitoring network attach and detach information of the first network node (12).
6. The method according to any one of claims 1 to 4, wherein the step of determining the total number of connection sessions comprises: monitoring Packet Data Protocol (PDP) context information of the first network node (12).
7. The method according to any one of claims 1 to 4, wherein the step of determining connection sessions comprises: monitoring Dynamic Host Configuration Protocol (DHCP) requests and releases of the first network node (12).
8. The method according to any one of the preceding claims, further comprising the step of:
sending an alert indicating that the first network node (12) is acting persistently.
9. The method according to any one of the preceding claims, further comprising the step of:
recording the moment at which the first communication flow between the first network node (12) and the second network node (13) occurs during the specified observation period.
10. The method according to any one of the preceding claims, further comprising the step of:
aggregating the communication flows between the first network node (12) and the second network node (13) during the specified observation period.
11. A method of detecting persistence of a first network node (12), the method comprising the steps of:
monitoring (S201), during a specified observation period, whether the first network node has established a connection to a second network node (13);
determining (S202) the total number of connection sessions occurring between the first network node and the second network node during the specified observation period;
determining (S203), from the total number of sessions, the number of sessions comprising at least one communication flow between the first network node and the second network node;
dividing (S204) at least one session into a number of sub-sessions;
determining (S205), for the at least one session, the number of sub-sessions comprising at least one communication flow between the first network node and the second network node; and
determining (S206) intra-session persistence of the first network node for the at least one session based on the number of sub-sessions and the number of sub-sessions comprising at least one communication flow.
12. The method according to claim 11, wherein the step of determining intra-session persistence comprises:
determining an intra-session persistence ratio for each session by dividing the number of sub-sessions comprising at least one communication flow by the total number of sub-sessions of that session, wherein the step of determining persistence based on the intra-session persistence further comprises:
comparing the determined intra-session persistence ratio with a threshold value, wherein, if the intra-session persistence ratio exceeds the threshold value, the first network node (12) is considered persistent.
13. The method according to claim 11 or 12, further comprising the step of:
determining (S104) inter-session persistence of the first network node based on the total number of sessions and the number of sessions comprising at least one communication flow.
14. A device (14) for detecting persistence of a first network node (12), arranged to:
monitor, during a specified observation period, whether the first network node has established a connection to a second network node (13);
determine the total number of connection sessions occurring between the first network node and the second network node during the specified observation period;
determine, from the total number of sessions, the number of sessions comprising at least one communication flow between the first network node and the second network node; and
determine inter-session persistence of the first network node based on the total number of sessions and the number of sessions comprising at least one communication flow.
15. The device (14) according to claim 14, further arranged to:
determine an inter-session persistence ratio by dividing the number of sessions comprising at least one communication flow by the total number of sessions, and
compare the determined inter-session persistence ratio with a threshold value, wherein, if the ratio exceeds the threshold value, the first network node (12) is considered persistent.
16. The device (14) according to claim 14 or 15, further arranged to:
divide at least one session into a number of sub-sessions;
determine, for the at least one session, the number of sub-sessions comprising at least one communication flow between the first network node (12) and the second network node (13);
determine intra-session persistence of the first network node for the at least one session based on the number of sub-sessions and the number of sub-sessions of the at least one session comprising at least one communication flow.
17. The device (14) according to any one of claims 14 to 16, further arranged to:
determine an intra-session persistence ratio for the session by dividing the number of sub-sessions comprising at least one communication flow by the total number of sub-sessions of the at least one session; and
compare the determined intra-session persistence ratio with a threshold value, wherein, if the ratio exceeds the threshold value, the first network node (12) is considered persistent.
18. The device (14) according to any one of claims 14 to 17, further arranged to: determine the total number of connection sessions by monitoring network attach and detach information of the first network node (13).
19. The device (14) according to any one of claims 14 to 17, further arranged to: determine the total number of connection sessions by monitoring Packet Data Protocol (PDP) context information of the first network node (13).
20. The device (14) according to any one of claims 14 to 17, further arranged to: determine connection sessions by monitoring Dynamic Host Configuration Protocol (DHCP) requests and releases of the first network node (13).
21. The device (14) according to any one of claims 14 to 20, further arranged to:
send an alert indicating that the first network node (12) is acting persistently.
22. The device (14) according to any one of claims 14 to 21, further arranged to: record the moment at which the first communication flow between the first network node (12) and the second network node (13) occurs during the specified observation period.
23. The device (14) according to any one of claims 14 to 22, further arranged to:
aggregate the communication flows between the first network node (12) and the second network node (13) during the specified observation period.
24. A device (14) for detecting persistence of a first network node (12), arranged to:
monitor, during a specified observation period, whether the first network node has established a connection to a second network node (13);
determine the total number of connection sessions occurring between the first network node and the second network node during the specified observation period;
determine, from the total number of sessions, the number of sessions comprising at least one communication flow between the first network node and the second network node;
divide at least one session into a number of sub-sessions;
determine, for the at least one session, the number of sub-sessions comprising at least one communication flow between the first network node and the second network node; and
determine intra-session persistence of the first network node for the at least one session based on the number of sub-sessions and the number of sub-sessions comprising at least one communication flow.
25. The device (14) according to claim 24, further arranged to:
determine an intra-session persistence ratio for each session by dividing the number of sub-sessions comprising at least one communication flow by the total number of sub-sessions of that session; and
compare the determined intra-session persistence ratio with a threshold value, wherein, if the intra-session persistence ratio exceeds the threshold value, the first network node (12) is considered persistent.
26. The device (14) according to claim 24 or 25, further arranged to:
determine inter-session persistence of the first network node based on the total number of sessions and the number of sessions comprising at least one communication flow.
27. The device (14) according to any one of claims 14 to 26, wherein the device is one of a GGSN, PDN-GW, SGW, SGSN, MME, RNC, BSC, NodeB, eNodeB, server, user equipment, router, switch or security device.
28. A computer program (17) comprising computer-executable components which, when run on a processing unit (15) comprised in a device (14), cause the device to carry out the steps according to any one of claims 1 to 13.
29. A computer program product comprising a computer-readable medium, the computer program (17) according to claim 28 being embodied in the computer-readable medium.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201161569343P 2011-12-12 2011-12-12
US61/569,343 2011-12-12
PCT/SE2012/000048 WO2013089607A1 (en) 2011-12-12 2012-04-02 Method for detection of persistent malware on a network node

Publications (2)

Publication Number Publication Date
CN103988534A true CN103988534A (en) 2014-08-13
CN103988534B CN103988534B (en) 2018-09-11

Family

ID=48612926

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280061399.3A Active CN103988534B (en) 2011-12-12 2012-04-02 Method for detecting the lasting Malware on network node

Country Status (4)

Country Link
US (1) US9380071B2 (en)
EP (2) EP3404949B1 (en)
CN (1) CN103988534B (en)
WO (1) WO2013089607A1 (en)


Also Published As

Publication number Publication date
US9380071B2 (en) 2016-06-28
EP3404949B1 (en) 2019-09-25
WO2013089607A1 (en) 2013-06-20
WO2013089607A9 (en) 2014-08-14
EP2792178B1 (en) 2018-08-29
EP2792178A1 (en) 2014-10-22
US20150180898A1 (en) 2015-06-25
CN103988534B (en) 2018-09-11
EP2792178A4 (en) 2015-09-02
EP3404949A1 (en) 2018-11-21


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant